Stop Threats Faster
Vaishali Ghiya & Dwann Hall, Juniper Networks
This statement of direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted in this presentation.
This presentation contains proprietary roadmap information and should not be discussed or shared without a signed non-disclosure agreement (NDA).
Data Is the New Gold: As Value Increases, So Does Cybercrime
• 80% of black-hat hackers are affiliated with organized crime
• Cybercrime will become a $2.1 trillion business by 2019
• 357M new unique pieces of malware in 2016
• 1 in 131 emails contained malware in 2016, the highest rate in five years
• 1.1B identities were exposed in 2017
• 360K ransomware attacks in 2016
Source: Symantec Internet Security Threat Report 2017, Verizon 2016 Data Breach Investigations Report
Today’s Threats Are More Complex Than Ever
• Realize threats are everywhere. They are already inside. They walked in your front door.
• Recognize perimeter security isn’t enough. Malware walks in with the employee.
• Detection and enforcement should be enabled anywhere.
• Acknowledge security is everyone’s problem – horizontal and vertical.
Software Defined Secure Networks: Network As A Firewall
(Diagram) Sky Advanced Threat Prevention Cloud (ATP: sandbox w/ deception, static analysis) provides detection; Security Director + Policy Enforcer provides policy enforcement, visibility and automation; enforcement points are the SRX physical firewall, vSRX virtual firewall, MX routers*, EX & QFX switches and third-party elements*.
Workflow: 1 Detection (machine learning) → 2 Centralized policy push → 3 Enforcement (multi-cloud) → 4 Network as a Firewall.
Manual threat workflows: threat detection and enforcement delays; vendor-specific threat feeds; multiple teams.
Automated threat remediation: automation across network and security; open API and third-party threat feed collation; cohesive threat management system.
SDSN – Threat Remediation Use Case
(Diagram) Incident Response, Net-Sec Operations and Endpoint Security; “Malware Found” triggers tickets (TKT) and feeds between the teams.
SDSN Simplified Scenario: Traveling Employee
(Diagram) Airport arrivals/departures; the traveling employee’s laptop visits www.pdf.com and an alert (!) is raised.
SDSN Simplified Scenario: Sunnyvale HQ
(Diagram) The infected laptop (MAC 3A-34-52-C4-69-b4, IP 172.16.254.3) joins an L2 VLAN at Sunnyvale HQ and alerts (!) as it talks to a Command & Control Server. The customer SRX forwards suspicious content to the Sky Advanced Threat Prevention Cloud (ATP: sandbox w/ deception, static analysis).
SDSN Simplified Scenario: Sunnyvale Campus
(Diagram) Detection by the Sky Advanced Threat Prevention Cloud (ATP: sandbox w/ deception, static analysis) and third-party threat intel; policy from Security Director + Policy Enforcer (policy enforcement, visibility, automation); enforcement on the SRX physical firewall, vSRX virtual firewall, MX routers*, EX & QFX switches and third-party elements*. The infected laptop on the L2 VLAN that was talking to the Command & Control Server is quarantined.
SDSN Simplified Scenario: San Francisco Campus
(Diagram) The same infected laptop (MAC 3A-34-52-C4-69-b4) now appears on a San Francisco campus L2 VLAN with NEW IP 174.12.254.3. The same detection, policy and enforcement chain (Sky ATP, third-party threat intel, Security Director + Policy Enforcer, SRX/vSRX/MX routers*/EX & QFX switches/third-party elements*) quarantines it again before it reaches the Command & Control Server.
SDSN Simplified: Network As a Firewall
(Diagram) Same architecture as above: Sky Advanced Threat Prevention Cloud, Security Director + Policy Enforcer, enforcement points SRX physical firewall, vSRX virtual firewall, MX routers*, EX & QFX switches and third-party elements*; 1 Detection (machine learning) → 2 Centralized policy push → 3 Enforcement (multi-cloud) → 4 Network as a Firewall.
SRX Product Line Evolution: New Hardware Platforms & Software Innovations
Segments shown: low end (branch & secure router, small campus, branch refresh), midrange (enterprise edge / small data center, compact campus), high end (mid-sized, large and very large data center / SP), and vSRX for small data centers.
Platform             Form factor, throughput
SRX300/320/340/345   (low end)
SRX550               (low end / midrange)
SRX1500              1U, 5 Gb/s
SRX4100              1U, 20 Gb/s
SRX4200              1U, 40 Gb/s
SRX4600              1U, 80 Gb/s
SRX4800              3U, 320 Gb/s
SRX5400              5U, 480 Gb/s
SRX5600              8U, 960 Gb/s
SRX5800              16U, 2 Tbps
vSRX – Virtual SRX   4 Gb/s (2 vCPU) to 20 Gb/s (up to 10 vCPU)
All performance estimates are IMIX. (NDA: Juniper Networks company confidential)
SRX 4100 & SRX 4200: High Performance Mid-range Platform
Platform
• Small RU footprint: 1U, 2 SKUs with 20G and 40G throughput
• Low power consumption
• 8 ports of 10G
• Based on off-the-shelf hardware components
• x86 CPU for advanced security services
Performance Targets
• Significant improvement in price/performance
• Excellent FW/NAT IMIX performance for a mid-range firewall (20 Gbps to 40 Gbps)
• Excellent NGFW performance (5 Gbps to 10 Gbps)
• Dramatically improved throughput, session and connections-per-second scale
Juniper Confidential – Subject to Change
Security Director: Application Visibility
1. Interactive/graphical summary of applications.
2. Data from different angles.
3. Who is using what.
4. Perform correcting and troubleshooting actions: identify, allow, block or limit usage.
5. Toggle to launch the details grid view.
Security Director: Threat Map
1. Map shows threat count by region.
2. Easy to filter according to threat type, severity, and source/destination.
3. Table can filter map results and view related events; the table shows details of threat events according to the filters.
4. Ability to zoom into a region for filtered threat view details.
Sky Advanced Threat Prevention: Solution Overview
(Diagram) Customer SRX ↔ Juniper Cloud (Sky Advanced Threat Prevention Cloud: ATP with sandbox w/ deception and static analysis).
1. SRX extracts potentially malicious objects and files
2. SRX sends potentially malicious content to the Advanced Threat Prevention cloud
3. Advanced Threat Prevention cloud performs static and dynamic analysis
4. Advanced Threat Prevention cloud provides malware results and C&C server data to the SRX
5. SRX blocks known malicious file downloads and outbound C&C traffic
Sky Advanced Threat Prevention Cloud infrastructure components shown for potentially malicious files: cache, multiple anti-virus engines, inline blocking, static analysis, sandbox, behavioral analysis, deception, machine learning.
• Verdicts determined at every level
• Additive verdict determination ensures accuracy
• Over 50 deception techniques employed to trick malware into exposing itself
Juniper Advanced Threat Detection – Lateral Spread
(Diagram) Internet → Perimeter; malicious email and malicious web enter from outside, with collectors inside the network.
Smart Analytics: lateral threat migration indicates progression through the cyber kill chain. Collectors capture that traffic too.
Hybrid Cloud: vSRX in Transit VPC for AWS
(Diagram) Two vSRX instances in a Transit VPC spanning AZ 1 and AZ 2 connect VPC 1, VPC 2 … VPC N, the Internet, VPN over Direct Connect and a backup VPN.
Transit VPC
• Inter-VPC connectivity over VPN
• Security group securing VPC workloads
• Inter-VPC security (IDS/IPS, NextGen Firewall) on vSRX
• Redundancy through dynamic routing (BGP)
• Fully automated: VPN connections to new VPCs with zero touch
vSRX differentiators
• High performance
• Integrated routing and security
• Higher scale of VPC support
Juniper Security Services Overview
SRX Foundation Services: Firewall, NAT, VPN, Routing
Next Generation Firewall Services: Application Control & Visibility, User-based Firewall
Unified Threat Management (Known Threats): Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-spam
Threat Intelligence Platform: Botnets/C&C, GEO-IP, Custom Feeds, APT
Cloud Based Advanced Anti-Malware (Zero Day): Sandboxing, Evasive Malware, Rich Reporting, Analytics
Management: Reporting, Analytics, Automation
Advanced Policy Based Routing (AppRoute/APBR)
(Diagram) Branch to Corporate HQ over MPLS and Internet paths; applications 1…N are steered per application toward the Enterprise App Server.
Juniper Automation and Orchestration Solution: One Junos Software, Open Platform
(Diagram) On-box, off-box, third-party and API-based tooling: PyEZ, Ruby-EZ, SLAX, ZTP, NETCONF, Junos SDK; Junos Space, Network Director, Security Director, NorthStar, Contrail, SDN; Puppet, Chef, Ansible, OpenClos, Juniper OpenStack plug-in, Juniper CloudStack plug-in.
Live Demo
Software Defined Secure Network Demo – Aruba Enforcement on Cisco Switch
Dwann A. Hall, Sr. Security Solutions Specialist
Solution Components
Product                               Description
Junos Space 17.1R2                    Network Management Platform
Security Director 17.1R2              PE UI and SRX policy deployment
Policy Enforcer 17.1R2 (PE)           User intent policy for threat management, deployment with Juniper switches as well as integration with Aruba ClearPass and Cisco ISE for 3rd party switch enforcement
SRX with Sky ATP                      Sky ATP for threat detection and feeds; v/SRX for malware file scanning and policy enforcement
Aruba ClearPass / Cisco ISE           Integration w/ Network Access Control (RADIUS/802.1x)
Juniper and (or) 3rd party switches   Infected host tracking and enforcement (block/quarantine)
SDSN in a Third-Party Switched Network
(Diagram) Sky ATP, SRX, EX/QFX and EX/Cisco switches, a RADIUS access server, and Juniper or 3rd-party wireless. Policy Enforcer components: Feed Collector, Policy Controller, Remote Feed Server, Connector Framework, Connector API and 3rd Party SW Connector; feeds come from the Cloud Feed Server.
1. End user authenticates to the network via 802.1x or MAC authentication.
2. Sky ATP detects the endpoint becoming infected.
3. Policy Enforcer downloads the Infected Host feed.
4. PE enforces the Infected Host policy with the 3rd Party SW Connector calling the generic API.
5. The 3rd Party Connector:
   • queries the AAA server for endpoint details for the infected host IP
   • initiates CoA for the infected host MAC.
6. The CoA action can be block or quarantine VLAN.
7. Enforcement happens on the NAC device the endpoint authenticated on.
8. Policy Enforcer communicates the end host details back to Sky ATP.
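The infected-host tracking behind steps 3 to 7 above, and the traveling-laptop scenario earlier (same MAC, new IP at another campus), as an added example that is not Policy Enforcer's or any connector's own code: it resolves feed IPs through a constructed AAA session table, remembers the MAC, and builds the CoA attributes for quarantine (VLAN 99) or block. The session fields, switch names and the exact RADIUS attribute set are assumptions.

```python
from dataclasses import dataclass

QUARANTINE_VLAN = "99"  # quarantine VLAN from the demo slide
USER_VLAN = "10"        # normal user VLAN from the demo slide


@dataclass(frozen=True)
class Session:
    """One 802.1x / MAC-auth session as the AAA server (RADIUS accounting) reports it."""
    ip: str
    mac: str
    nas: str   # switch (NAC device) the endpoint authenticated on
    port: str
    vlan: str


def norm_mac(mac: str) -> str:
    """Canonical MAC so '3A-34-52-C4-69-b4' and '3a:34:52:c4:69:B4' compare equal."""
    return mac.replace(":", "-").upper()


# Constructed AAA view: the same laptop seen at Sunnyvale and, later, at San Francisco.
AAA_SESSIONS = [
    Session("172.16.254.3", "3A-34-52-C4-69-b4", "sunnyvale-sw1", "Gi1/0/12", USER_VLAN),
    Session("172.16.254.9", "00-11-22-33-44-55", "sunnyvale-sw1", "Gi1/0/13", USER_VLAN),
    Session("174.12.254.3", "3a:34:52:c4:69:B4", "sf-sw3", "Gi1/0/7", USER_VLAN),
]


def build_coa(session: Session, action: str) -> dict:
    """RFC 5176 attributes the connector would send to the session's NAS (assumed set)."""
    msg = {"nas": session.nas, "Calling-Station-Id": norm_mac(session.mac)}
    if action == "quarantine":          # move the port to the quarantine VLAN
        msg.update({"code": "CoA-Request", "Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": QUARANTINE_VLAN})
    elif action == "block":             # drop the session entirely
        msg["code"] = "Disconnect-Request"
    else:
        raise ValueError(f"unknown action {action!r}")
    return msg


def enforce(infected_ips, sessions, known_infected_macs=frozenset(), action="quarantine"):
    """Steps 3-7: resolve feed IPs to MACs through AAA, remember the MACs, then CoA every
    session of an infected MAC, including one that reconnected with a new IP elsewhere."""
    feed = set(infected_ips)
    infected = set(known_infected_macs) | {norm_mac(s.mac) for s in sessions if s.ip in feed}
    coas = [build_coa(s, action) for s in sessions
            if norm_mac(s.mac) in infected
            and not (action == "quarantine" and s.vlan == QUARANTINE_VLAN)]
    return coas, infected
```

Feeding only the Sunnyvale IP 172.16.254.3 quarantines both the Sunnyvale and the San Francisco sessions, because enforcement keys on the MAC rather than the IP the feed reported.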
Demo: SDSN Enforcement via Aruba ClearPass
User VLAN 10, quarantine VLAN 99
Juniper SDSN Network as a Firewall: Key Takeaways
• Deploy alongside your existing firewalls: no changes required to existing firewalls
• Automates threat remediation in significantly reduced time: block or quarantine any infected host from connecting to the network
• Stop threats faster: minimize horizontal spread of malware and significantly reduce business impact